6 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-6973 is an authenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) caused by improper input validation.
An authenticated attacker with administrative access can exploit this vulnerability by sending crafted requests to the affected system. Successful exploitation may allow arbitrary code execution on the underlying operating system, potentially leading to compromise of device management infrastructure and connected enterprise systems.
Ivanti confirmed limited exploitation of this vulnerability in the wild at the time of disclosure.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Authenticated Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile
Identifier: CVE-2026-6973
CVSS Score: 7.2 (High, CVSS v3.1)
PoC or Exploitation:
Ivanti confirmed very limited exploitation of this vulnerability in the wild at the time of disclosure. There are no validated public proof-of-concept exploit codes confirmed.
Update/ Patch:
Update/ Patch:
Ivanti has released fixes for this vulnerability.
Affected versions include:
- Ivanti EPMM 12.6 prior to 12.6.1.1
- Ivanti EPMM 12.7 prior to 12.7.0.1
- Ivanti EPMM 12.8 prior to 12.8.0.1
Fixed versions include:
- Ivanti EPMM 12.6.1.1
- Ivanti EPMM 12.7.0.1
- Ivanti EPMM 12.8.0.1
Not affected:
Ivanti Neurons for MDM
Ivanti Endpoint Manager (EPM)
Ivanti Sentry
Ivanti advisory and patch guidance:
Description:
CVE-2026-6973 is an authenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) caused by improper input validation.
An authenticated remote attacker with administrative access can exploit the vulnerability by sending crafted requests to the affected system. Successful exploitation may allow arbitrary code execution on the underlying operating system.
Mitigation Recommendation:
Immediately upgrade Ivanti EPMM deployments to the fixed versions provided by Ivanti.
Prioritize patching internet-facing and externally accessible EPMM deployments.
Restrict administrative access to trusted management networks and enforce strong authentication controls.
Review privileged administrative accounts and remove unnecessary access.
Monitor logs for suspicious administrative actions, crafted requests, unexpected process execution, or anomalous system behavior.
Conduct threat hunting and forensic review on exposed systems, especially where exposure existed prior to patching.
